[thirdparty/u-boot.git] / test / py / tests / test_efi_secboot / test_signed_intca.py

# SPDX-License-Identifier:      GPL-2.0+
# Copyright (c) 2020, Linaro Limited
# Author: AKASHI Takahiro <takahiro.akashi@linaro.org>
#
# U-Boot UEFI: Image Authentication Test (signature with certificates chain)

"""
This test verifies image authentication for a signed image which is signed
by user certificate and contains additional intermediate certificates in its
signature.
"""

import pytest


@pytest.mark.boardspec('sandbox')
@pytest.mark.buildconfigspec('efi_secure_boot')
@pytest.mark.buildconfigspec('cmd_efidebug')
@pytest.mark.buildconfigspec('cmd_fat')
@pytest.mark.buildconfigspec('cmd_nvedit_efi')
@pytest.mark.slow
class TestEfiSignedImageIntca(object):
    def test_efi_signed_image_intca1(self, u_boot_console, efi_boot_env_intca):
        """
        Test Case 1 - authenticated by root CA in db
        """
        u_boot_console.restart_uboot()
        disk_img = efi_boot_env_intca
        with u_boot_console.log.section('Test Case 1a'):
            # Test Case 1a, with no Int CA and not authenticated by root CA
            output = u_boot_console.run_command_list([
                'host bind 0 %s' % disk_img,
                'fatload host 0:1 4000000 db_c.auth',
                'setenv -e -nv -bs -rt -at -i 4000000:$filesize db',
                'fatload host 0:1 4000000 KEK.auth',
                'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK',
                'fatload host 0:1 4000000 PK.auth',
                'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK'])
            assert 'Failed to set EFI variable' not in ''.join(output)

            output = u_boot_console.run_command_list([
                'efidebug boot add -b 1 HELLO_a host 0:1 /helloworld.efi.signed_a -s ""',
                'efidebug boot order 1',
                'efidebug test bootmgr'])
            assert '\'HELLO_a\' failed' in ''.join(output)
            assert 'efi_bootmgr_load() returned: 26' in ''.join(output)

        with u_boot_console.log.section('Test Case 1b'):
            # Test Case 1b, signed and authenticated by root CA
            output = u_boot_console.run_command_list([
                'efidebug boot add -b 2 HELLO_ab host 0:1 /helloworld.efi.signed_ab -s ""',
                'efidebug boot order 2',
                'bootefi bootmgr'])
            assert 'Hello, world!' in ''.join(output)

    def test_efi_signed_image_intca2(self, u_boot_console, efi_boot_env_intca):
        """
        Test Case 2 - authenticated by root CA in db
        """
        u_boot_console.restart_uboot()
        disk_img = efi_boot_env_intca
        with u_boot_console.log.section('Test Case 2a'):
            # Test Case 2a, unsigned and not authenticated by root CA
            output = u_boot_console.run_command_list([
                'host bind 0 %s' % disk_img,
                'fatload host 0:1 4000000 KEK.auth',
                'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK',
                'fatload host 0:1 4000000 PK.auth',
                'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK'])
            assert 'Failed to set EFI variable' not in ''.join(output)

            output = u_boot_console.run_command_list([
                'efidebug boot add -b 1 HELLO_abc host 0:1 /helloworld.efi.signed_abc -s ""',
                'efidebug boot order 1',
                'efidebug test bootmgr'])
            assert '\'HELLO_abc\' failed' in ''.join(output)
            assert 'efi_bootmgr_load() returned: 26' in ''.join(output)

        with u_boot_console.log.section('Test Case 2b'):
            # Test Case 2b, signed and authenticated by root CA
            output = u_boot_console.run_command_list([
                'fatload host 0:1 4000000 db_b.auth',
                'setenv -e -nv -bs -rt -at -i 4000000:$filesize db',
                'efidebug boot order 1',
                'efidebug test bootmgr'])
            assert '\'HELLO_abc\' failed' in ''.join(output)
            assert 'efi_bootmgr_load() returned: 26' in ''.join(output)

        with u_boot_console.log.section('Test Case 2c'):
            # Test Case 2c, signed and authenticated by root CA
            output = u_boot_console.run_command_list([
                'fatload host 0:1 4000000 db_c.auth',
                'setenv -e -nv -bs -rt -at -i 4000000:$filesize db',
                'efidebug boot order 1',
                'efidebug test bootmgr'])
            assert 'Hello, world!' in ''.join(output)

    def test_efi_signed_image_intca3(self, u_boot_console, efi_boot_env_intca):
        """
        Test Case 3 - revoked by dbx
        """
        u_boot_console.restart_uboot()
        disk_img = efi_boot_env_intca
        with u_boot_console.log.section('Test Case 3a'):
            # Test Case 3a, revoked by int CA in dbx
            output = u_boot_console.run_command_list([
                'host bind 0 %s' % disk_img,
                'fatload host 0:1 4000000 dbx_b.auth',
                'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx',
                'fatload host 0:1 4000000 db_c.auth',
                'setenv -e -nv -bs -rt -at -i 4000000:$filesize db',
                'fatload host 0:1 4000000 KEK.auth',
                'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK',
                'fatload host 0:1 4000000 PK.auth',
                'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK'])
            assert 'Failed to set EFI variable' not in ''.join(output)

            output = u_boot_console.run_command_list([
                'efidebug boot add -b 1 HELLO_abc host 0:1 /helloworld.efi.signed_abc -s ""',
                'efidebug boot order 1',
                'efidebug test bootmgr'])
            assert 'Hello, world!' in ''.join(output)
            # Or,
            # assert '\'HELLO_abc\' failed' in ''.join(output)
            # assert 'efi_bootmgr_load() returned: 26' in ''.join(output)

        with u_boot_console.log.section('Test Case 3b'):
            # Test Case 3b, revoked by root CA in dbx
            output = u_boot_console.run_command_list([
                'fatload host 0:1 4000000 dbx_c.auth',
                'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx',
                'efidebug boot order 1',
                'efidebug test bootmgr'])
            assert '\'HELLO_abc\' failed' in ''.join(output)
            assert 'efi_bootmgr_load() returned: 26' in ''.join(output)
Commit	Line	Data
e1174c56 AT	1	# SPDX-License-Identifier: GPL-2.0+
	2	# Copyright (c) 2020, Linaro Limited
	3	# Author: AKASHI Takahiro <takahiro.akashi@linaro.org>
	4	#
	5	# U-Boot UEFI: Image Authentication Test (signature with certificates chain)
	6
	7	"""
	8	This test verifies image authentication for a signed image which is signed
	9	by user certificate and contains additional intermediate certificates in its
	10	signature.
	11	"""
	12
	13	import pytest
	14
	15
	16	@pytest.mark.boardspec('sandbox')
	17	@pytest.mark.buildconfigspec('efi_secure_boot')
	18	@pytest.mark.buildconfigspec('cmd_efidebug')
	19	@pytest.mark.buildconfigspec('cmd_fat')
	20	@pytest.mark.buildconfigspec('cmd_nvedit_efi')
	21	@pytest.mark.slow
	22	class TestEfiSignedImageIntca(object):
	23	def test_efi_signed_image_intca1(self, u_boot_console, efi_boot_env_intca):
	24	"""
	25	Test Case 1 - authenticated by root CA in db
	26	"""
	27	u_boot_console.restart_uboot()
	28	disk_img = efi_boot_env_intca
	29	with u_boot_console.log.section('Test Case 1a'):
	30	# Test Case 1a, with no Int CA and not authenticated by root CA
	31	output = u_boot_console.run_command_list([
	32	'host bind 0 %s' % disk_img,
	33	'fatload host 0:1 4000000 db_c.auth',
2b3fbcb5	34	'setenv -e -nv -bs -rt -at -i 4000000:$filesize db',
e1174c56	35	'fatload host 0:1 4000000 KEK.auth',
2b3fbcb5	36	'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK',
e1174c56	37	'fatload host 0:1 4000000 PK.auth',
2b3fbcb5	38	'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK'])
e1174c56 AT	39	assert 'Failed to set EFI variable' not in ''.join(output)
	40
	41	output = u_boot_console.run_command_list([
ce62b0f8	42	'efidebug boot add -b 1 HELLO_a host 0:1 /helloworld.efi.signed_a -s ""',
550862bc	43	'efidebug boot order 1',
e1174c56 AT	44	'efidebug test bootmgr'])
e1174c56 AT	45	assert '\'HELLO_a\' failed' in ''.join(output)
566f0673	46	assert 'efi_bootmgr_load() returned: 26' in ''.join(output)
e1174c56 AT	47
	48	with u_boot_console.log.section('Test Case 1b'):
	49	# Test Case 1b, signed and authenticated by root CA
	50	output = u_boot_console.run_command_list([
ce62b0f8	51	'efidebug boot add -b 2 HELLO_ab host 0:1 /helloworld.efi.signed_ab -s ""',
550862bc	52	'efidebug boot order 2',
e1174c56 AT	53	'bootefi bootmgr'])
	54	assert 'Hello, world!' in ''.join(output)
	55
	56	def test_efi_signed_image_intca2(self, u_boot_console, efi_boot_env_intca):
	57	"""
	58	Test Case 2 - authenticated by root CA in db
	59	"""
	60	u_boot_console.restart_uboot()
	61	disk_img = efi_boot_env_intca
	62	with u_boot_console.log.section('Test Case 2a'):
	63	# Test Case 2a, unsigned and not authenticated by root CA
	64	output = u_boot_console.run_command_list([
	65	'host bind 0 %s' % disk_img,
	66	'fatload host 0:1 4000000 KEK.auth',
2b3fbcb5	67	'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK',
e1174c56	68	'fatload host 0:1 4000000 PK.auth',
2b3fbcb5	69	'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK'])
e1174c56 AT	70	assert 'Failed to set EFI variable' not in ''.join(output)
	71
	72	output = u_boot_console.run_command_list([
ce62b0f8	73	'efidebug boot add -b 1 HELLO_abc host 0:1 /helloworld.efi.signed_abc -s ""',
550862bc	74	'efidebug boot order 1',
e1174c56 AT	75	'efidebug test bootmgr'])
e1174c56 AT	76	assert '\'HELLO_abc\' failed' in ''.join(output)
566f0673	77	assert 'efi_bootmgr_load() returned: 26' in ''.join(output)
e1174c56 AT	78
	79	with u_boot_console.log.section('Test Case 2b'):
	80	# Test Case 2b, signed and authenticated by root CA
	81	output = u_boot_console.run_command_list([
	82	'fatload host 0:1 4000000 db_b.auth',
2b3fbcb5	83	'setenv -e -nv -bs -rt -at -i 4000000:$filesize db',
550862bc	84	'efidebug boot order 1',
e1174c56 AT	85	'efidebug test bootmgr'])
e1174c56 AT	86	assert '\'HELLO_abc\' failed' in ''.join(output)
566f0673	87	assert 'efi_bootmgr_load() returned: 26' in ''.join(output)
e1174c56 AT	88
	89	with u_boot_console.log.section('Test Case 2c'):
	90	# Test Case 2c, signed and authenticated by root CA
	91	output = u_boot_console.run_command_list([
	92	'fatload host 0:1 4000000 db_c.auth',
2b3fbcb5	93	'setenv -e -nv -bs -rt -at -i 4000000:$filesize db',
550862bc	94	'efidebug boot order 1',
e1174c56 AT	95	'efidebug test bootmgr'])
	96	assert 'Hello, world!' in ''.join(output)
	97
	98	def test_efi_signed_image_intca3(self, u_boot_console, efi_boot_env_intca):
	99	"""
	100	Test Case 3 - revoked by dbx
	101	"""
	102	u_boot_console.restart_uboot()
	103	disk_img = efi_boot_env_intca
	104	with u_boot_console.log.section('Test Case 3a'):
	105	# Test Case 3a, revoked by int CA in dbx
	106	output = u_boot_console.run_command_list([
	107	'host bind 0 %s' % disk_img,
	108	'fatload host 0:1 4000000 dbx_b.auth',
2b3fbcb5	109	'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx',
e1174c56	110	'fatload host 0:1 4000000 db_c.auth',
2b3fbcb5	111	'setenv -e -nv -bs -rt -at -i 4000000:$filesize db',
e1174c56	112	'fatload host 0:1 4000000 KEK.auth',
2b3fbcb5	113	'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK',
e1174c56	114	'fatload host 0:1 4000000 PK.auth',
2b3fbcb5	115	'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK'])
e1174c56 AT	116	assert 'Failed to set EFI variable' not in ''.join(output)
	117
	118	output = u_boot_console.run_command_list([
ce62b0f8	119	'efidebug boot add -b 1 HELLO_abc host 0:1 /helloworld.efi.signed_abc -s ""',
550862bc	120	'efidebug boot order 1',
e1174c56 AT	121	'efidebug test bootmgr'])
	122	assert 'Hello, world!' in ''.join(output)
	123	# Or,
	124	# assert '\'HELLO_abc\' failed' in ''.join(output)
566f0673	125	# assert 'efi_bootmgr_load() returned: 26' in ''.join(output)
e1174c56 AT	126
	127	with u_boot_console.log.section('Test Case 3b'):
	128	# Test Case 3b, revoked by root CA in dbx
	129	output = u_boot_console.run_command_list([
	130	'fatload host 0:1 4000000 dbx_c.auth',
2b3fbcb5	131	'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx',
550862bc	132	'efidebug boot order 1',
e1174c56 AT	133	'efidebug test bootmgr'])
e1174c56 AT	134	assert '\'HELLO_abc\' failed' in ''.join(output)
566f0673	135	assert 'efi_bootmgr_load() returned: 26' in ''.join(output)